Timo Sirainen wrote:
On Wed, 2008-10-29 at 09:49 -0400, Albert E. Whale wrote:
I have been using UW's IMAP server and I am converting to Dovecot for Maildir support.
When a user fails authentication, or a user does not exist, it appears that the same message is used for these events.
Is there a way to indicate that the user does not exist (Invalid user), and authentication Failure (Failed Password)?
To user: no. In logs: yes, with auth_verbose=yes.
Timo, Thank you. I already have auth_verbose=yes.
Here is what I am seeing:
Oct 29 09:43:31 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234 Oct 29 09:43:34 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure Oct 29 09:43:36 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234 Oct 29 09:43:38 192.168.50.5 dovecot: auth-worker(default): pam(darrin,217.168.145.51): pam_authenticate() failed: Authentication failure Oct 29 09:43:40 192.168.50.5 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<darrin>, method=PLAIN, rip=217.168.145.51, lip=66.207.133.234
These attempts to authenticate Darrin will not complete, as this is not a valid user. The IP Address 217.168.145.51 was cycling through 1364 attempts. I would like to identify this type of activity sooner, as this is not a valid user.
-- Albert E. Whale, CHS CISA CISSP Sr. Security, Network, Risk Assessment and Systems Consultant
ABS Computer Technology, Inc. <http://www.ABS-CompTech.com> - Email, Internet and Security Consultants SPAMZapper <http://www.Spam-Zapper.com> - No-JunkMail.com <http://www.No-JunkMail.com> - *True Spam Elimination*.